Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking nd-booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through <= 3.6.
Published: 2025-05-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from inadequate validation of filenames used in PHP include or require statements within the Hotel Booking plugin. This flaw allows an attacker to supply a crafted path that causes the server to include local files it was never meant to load. An attacker who exploits it can read sensitive files on the server, and if an included local file contains executable PHP, arbitrary code execution may follow, compromising the confidentiality, integrity, and availability of the website.

Affected Systems

The affected product is the nicdark Hotel Booking plugin for WordPress, versions from the earliest release through version 3.6 inclusive. Any site running a 3.6 or earlier build is potentially vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity, but the EPSS score is less than 1%, reflecting a low current exploitation probability. It is not listed in CISA’s KEV catalogue. The attack requires the ability to influence the file path used for inclusion, most likely through a user-supplied parameter in the plugin’s interface; the CVSS vector (AV:N/AC:H/PR:L) describes a network-reachable vector that needs low privileges and has high attack complexity, so this is an authenticated rather than an unauthenticated remote exploit. Given the high CVSS and the potential for full code execution, the risk remains significant despite the low EPSS.

Generated by OpenCVE AI on May 1, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Hotel Booking plugin to the latest available version, which addresses the LFI flaw.
  • If an update is not immediately possible, modify the plugin’s inclusion routines to enforce a strict whitelist of allowed files or to resolve paths against a predefined directory, thereby eliminating the ability to include arbitrary local files.
  • Ensure that the PHP configuration option allow_url_include is disabled and that file system permissions for the site’s directories are restrictive, preventing the exploitation of local files even if an attacker manipulates inclusion paths.
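The two hardening approaches in the recommended actions (a strict allow-list, or resolving paths against a predefined directory) shown in code. This is an added example and not code from the nd-booking plugin; the template loader, the template names and the directory layout are hypothetical. It also illustrates a caveat worth keeping in mind when applying the third action: allow_url_include=Off only blocks includes through URL wrappers (remote file inclusion), it does nothing against a local path that an attacker can steer with traversal sequences, so the allow-list or confinement is the actual fix for the LFI.

```php
<?php
// Added example, not code from the nd-booking plugin: a hypothetical template
// loader showing the CWE-98 pattern beside the two hardening options above.

declare(strict_types=1);

// Vulnerable pattern: a request-controlled name is concatenated into include().
// Traversal sequences or absolute paths in $name change which local file PHP
// executes. allow_url_include=Off does NOT stop this, because no URL wrapper
// is involved.
function load_template_unsafe(string $baseDir, string $name): void
{
    include $baseDir . '/templates/' . $name . '.php';
}

// Hardening option 1: a fixed allow-list keyed by identifier. The request value
// is only ever used as an array key, never as part of a path.
const ALLOWED_TEMPLATES = [
    'search'  => 'templates/search.php',
    'rooms'   => 'templates/rooms.php',
    'booking' => 'templates/booking.php',
];

function resolve_template_allowlist(string $baseDir, string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null; // unknown identifier: refuse, do not guess
    }
    return $baseDir . '/' . ALLOWED_TEMPLATES[$name];
}

// Hardening option 2: canonicalise with realpath() and confine the result to
// one directory. Useful when templates are discovered dynamically and a
// static allow-list is impractical.
function resolve_template_confined(string $baseDir, string $name): ?string
{
    // Reject anything but a short, simple identifier before touching the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $root      = realpath($baseDir . '/templates');
    $candidate = realpath($baseDir . '/templates/' . $name . '.php');
    if ($root === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // realpath() already resolved '..' and symlinks; make sure the canonical
    // path still sits below $root (the trailing separator avoids matching a
    // sibling directory such as templates_old/).
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demonstration with a constructed temporary directory (no real plugin paths).
$base = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/rooms.php', "<?php echo 'rooms template';\n");
file_put_contents($base . '/secret.php', "<?php echo 'must never be included';\n");

// Constructed inputs: one legitimate identifier and three that must be refused.
$inputs = ['rooms', '../secret', 'rooms/../../secret', '/etc/passwd'];
foreach ($inputs as $in) {
    printf("%-22s allow-list: %-9s confined: %s\n",
        var_export($in, true),
        resolve_template_allowlist($base, $in) === null ? 'rejected' : 'ok',
        resolve_template_confined($base, $in) === null ? 'rejected' : 'ok');
}

// Clean up the constructed directory.
unlink($base . '/templates/rooms.php');
unlink($base . '/secret.php');
rmdir($base . '/templates');
rmdir($base);
```

The allow-list variant is the stronger of the two because the request value never becomes part of a filesystem path at all; the confinement variant is the fallback when the set of includable files is not fixed, and its safety depends on both the identifier check before realpath() and the prefix check after it.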

Advisories
Source ID Title
EUVD EUVD EUVD-2025-13825 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6.
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking nd-booking allows PHP Local File Inclusion.This issue affects Hotel Booking: from n/a through <= 3.6.
Type: Title
Values removed: WordPress Hotel Booking <= 3.6 - Local File Inclusion Vulnerability
Values added: WordPress Hotel Booking plugin <= 3.6 - Local File Inclusion Vulnerability
Type: References
Type: Metrics (cvssV3_1)
Value: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00147}
Values added: {'score': 0.0017}


Wed, 07 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:30:00 +0000

Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6.
Type: Title
Values added: WordPress Hotel Booking <= 3.6 - Local File Inclusion Vulnerability
Type: Weaknesses
Values added: CWE-98
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Nicdark Hotel Booking
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:42.901Z

Reserved: 2025-05-07T09:39:23.016Z

Link: CVE-2025-47498

Vulnrichment

Updated: 2025-05-07T14:46:53.975Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:04.273

Modified: 2026-04-23T15:30:20.393

Link: CVE-2025-47498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T09:00:12Z

Weaknesses